[Owasp-leaders] professionalizing the cybersecurity workforce //OWASP certification

Josh Sokol josh.sokol at owasp.org
Fri Aug 8 17:07:17 UTC 2014


One other thought....these two ideas are not mutually exclusive.  You could
technically do both a "taxonomy of trust" and a certification.

~josh


On Fri, Aug 8, 2014 at 10:03 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I really like this idea Bev.  What if OWASP created a PKI system where any
> security professional could request a key pair.  Then, we could provide a
> mechanism for individuals to validate skills and experience for other
> individuals by "signing" their listed experiences.  Kind of like LinkedIn,
> but actually meaningful.  We could provide the ability to "look up" people
> in the database based on name, skill set, etc.  Some off-the-cuff thoughts,
> but this "taxonomy of trust" (as Bev puts it) sounds far more valuable than
> an actual certification in my opinion.
>
> ~josh
>
>
> On Fri, Aug 8, 2014 at 5:38 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>
>> My two cents: Personally not a fan of "certifications" of anything, but a
>> "taxonomy of trust" might be interesting.
>>
>> Bev
>>
>>
>> On Fri, Aug 8, 2014 at 6:14 AM, Andrew Muller <andrew.muller at owasp.org>
>> wrote:
>>
>>> Who says we're easily distracted?! ;)
>>>
>>> Is the discussion dead or does the community think that certification of
>>> organisations/processes is a worthwhile pursuit and does the Board think
>>> they can lead it?
>>>
>>>
>>> On Thu, Aug 7, 2014 at 11:20 AM, Donald <don.gooden at gmail.com> wrote:
>>>
>>>> You guys are funny...
>>>>
>>>> Thanks for the laugh...
>>>>
>>>> Enjoy it...
>>>>
>>>> D
>>>>  ------------------------------
>>>> From: (P7N) Jason Johnson <jason.johnson at p7n.net>
>>>> Sent: ‎8/‎6/‎2014 4:33 PM
>>>> To: Jim Manico <jim.manico at owasp.org>; Tobias Glemser
>>>> <tglemser at secuvera.de>
>>>> Cc: owasp-leaders at lists.owasp.org
>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
>>>> workforce //OWASP certification
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> Crap....I need to get that off my resume
>>>>
>>>> On August 6, 2014 2:22:05 PM CDT, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>> >I do not doubt that you are a highly experienced ASS, but yes, the
>>>> >cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
>>>> >some beer.
>>>> >
>>>> >Aloha,
>>>> >-
>>>> >Jim Manico
>>>> >@Manicode
>>>> >(808) 652-3805
>>>> >
>>>> >On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de>
>>>> >wrote:
>>>> >
>>>> >>> PS: That's the ASS-Cert and it was a hoax. :)
>>>> >> Sir! You're saying the "certified ASS" I've got proudly printed on my
>>>> >> business cards is a fake :-0? Can't be real.. :)
>>>> >>
>>>> >> I guess the next beer is on you my Hawaiian friend.
>>>> >>
>>>> >> Tobias
>>>> >>
>>>> >>> -----Original Message-----
>>>> >>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>>> >>> Sent: Wednesday, 6 August 2014 18:26
>>>> >>> To: Tobias Glemser
>>>> >>> Cc: owasp-leaders at lists.owasp.org
>>>> >>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce //
>>>> >>> OWASP certification [ Z1 UNGESICHERT ]
>>>> >>>
>>>> >>>> Always keep in mind: In 2012 we already had a "Certified Application
>>>> >>>> Security Specialist" promoted at AppSecDC
>>>> >>>
>>>> >>> PS: That's the ASS-Cert and it was a hoax. :)
>>>> >>>
>>>> >>> Aloha,
>>>> >>> --
>>>> >>> Jim Manico
>>>> >>> @Manicode
>>>> >>> (808) 652-3805
>>>> >>>
>>>> >>>>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
>>>> >>>>
>>>> >>>> Hi there,
>>>> >>>>
>>>> >>>> I fully understand that the "why is there no OWASP Sticker, pardon me,
>>>> >>>> OWASP Certificate" question arises year after year. But to quote Jim
>>>> >>>>
>>>> >>>>> 1) Votes among our community have always said "no" to certification
>>>> >>>> As a community-driven organization _this_ is the most relevant thing to
>>>> >>>> keep in mind in any discussion. If the participants think we should
>>>> >>>> re-think the topic, because things change over time: Keep on going.
>>>> >>>>
>>>> >>>> Always keep in mind: In 2012 we already had a "Certified Application
>>>> >>>> Security Specialist" promoted at AppSecDC. See
>>>> >>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>>>> >>>>
>>>> >>>> Tobias
>>>> >>>>
>>>> >>>>> -----Original Message-----
>>>> >>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>>>> >>>>> bounces at lists.owasp.org] On Behalf Of Gary Robinson
>>>> >>>>> Sent: Wednesday, 6 August 2014 17:17
>>>> >>>>> To: Andrew Muller
>>>> >>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x'
>>>> >>>>> Khrotko (owasp)
>>>> >>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
>>>> >>>>> workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>> >>>>>
>>>> >>>>> Hi,
>>>> >>>>>
>>>> >>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC
>>>> >>>>> 27034 Application Security Controls' (hadn't seen before). Would be
>>>> >>>>> good to see this catch on.
>>>> >>>>>
>>>> >>>>> Gary
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> Gary D. Robinson, CISSP
>>>> >>>>>
>>>> >>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org>
>>>> >>> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>   On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
>>>> >>>>> <gary.robinson at owasp.org> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> Yea instead of cert'ing people or code, can we certify companies'
>>>> >>>>> SDLCs for security? Just like a company is certified for ISO 9001 or
>>>> >>>>> others? Would be great to see things like "Acme is OWASP certified
>>>> >>>>> for their secure development processes".
>>>> >>>>>
>>>> >>>>> If BSIMM or OpenSAMM are anything to go by then education of
>>>> >>>>> employees will be part of that company SDLC cert.
>>>> >>>>>
>>>> >>>>>       Gary
>>>> >>>>>
>>>> >>>>>       Gary D. Robinson, CISSP
>>>> >>>>>
>>>> >>>>>       On 6 Aug 2014, at 11:36, Andrew Muller
>>>> >>>>> <andrew.muller at owasp.org> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> OWASP is good at writing guidance (code review guide) and standards
>>>> >>>>> (ASVS), so I don't think we should pollute the brand with
>>>> >>>>> certifications. We could possibly look at certifying organisations'
>>>> >>>>> compliance with these standards but even this stinks of conflict and
>>>> >>>>> erosion of the OWASP brand.
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>           My 2c
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>           On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
>>>> >>>>> <eoin.keary at owasp.org> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> I'd love to do something like this but I'm unsure if getting
>>>> >>>>> students to test production code would warrant any type of robust
>>>> >>>>> certification. To certify code / help ensure it is secure, we really
>>>> >>>>> need to build security in rather than just test.
>>>> >>>>> Certification would have to be a combination of design review,
>>>> >>>>> source code analysis and testing. Similar to ASVS level 4?
>>>> >>>>> This would take tons of work and require a dedicated experienced
>>>> >>>>> assessment team.
>>>> >>>>>
>>>> >>>>>               -ek
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>               Eoin Keary
>>>> >>>>>               Owasp Global Board
>>>> >>>>>               +353 87 977 2988
>>>> >>>>> <tel:%2B353%2087%20977%202988>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>               On 6 Aug 2014, at 02:41, Larry Conklin
>>>> >>>>> <larry.conklin at owasp.org> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> Hi Jim, I would also like to see us move into certification, but
>>>> >>>>> instead of certifying people I think we should consider software. A
>>>> >>>>> certification like what Underwriters Laboratories offers with their
>>>> >>>>> "Seal of Approval". We could start small, certifying software
>>>> >>>>> scanners. We can offer a free application(s) with known
>>>> >>>>> vulnerabilities that vendors can run their code against to measure
>>>> >>>>> how well their scanner finds and reports the known vulnerabilities.
>>>> >>>>> Testing would be C++, Java, C#, PHP, Ruby, and Javascript. We could
>>>> >>>>> also allow members to run their open source and third party
>>>> >>>>> application against our code base so we could collect comprehensive
>>>> >>>>> measurement of the effectiveness of each vendor scanner (both open
>>>> >>>>> source and third party) and make this available to everyone who is
>>>> >>>>> considering buying a scanner or a SAS service to scan software. The
>>>> >>>>> last thing we could do would be to offer our own "seal of approval"
>>>> >>>>> if the vendor allowed us to independently test their code. This
>>>> >>>>> would also be a great summer of code for some students. We don't
>>>> >>>>> need to start big, we just need to start. I have never seen an
>>>> >>>>> independent study of FindBugs that is not part of a research paper
>>>> >>>>> and compares other tools. Just my two cents. Hope you all miss the
>>>> >>>>> majority of the hurricanes. Stay safe!
>>>> >>>>> Larry
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>                   On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
>>>> >>>>> <jim.manico at owasp.org> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> I personally think OWASP should go full bore into AppSec
>>>> >>>>> professional certification, but there are real obstacles preventing
>>>> >>>>> it from happening right now.
>>>> >>>>>
>>>> >>>>> 1) Votes among our community have always said "no" to certification
>>>> >>>>>
>>>> >>>>> 2) The operational overhead with certification is very significant,
>>>> >>>>> and we are in the process of rebooting operations with Virtual, our
>>>> >>>>> new HR firm
>>>> >>>>>
>>>> >>>>> 3) We would be forced to keep exam questions in secret which is
>>>> >>>>> against our bylaws
>>>> >>>>>
>>>> >>>>> I think that if Virtual succeeds in maturing operations as I hope
>>>> >>>>> and pray that they do, we might be able to reconsider. But right now
>>>> >>>>> I feel we need to put our energies into current efforts.
>>>> >>>>>
>>>> >>>>>                       Respectfully,
>>>> >>>>>                       --
>>>> >>>>>                       Jim Manico
>>>> >>>>>                       @Manicode
>>>> >>>>>                       (808) 652-3805 <tel:%28808%29%20652-3805>
>>>> >>>>>
>>>> >>>>> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> See the item from the SANS newsletter below. (For my taste the last
>>>> >>>>> two sentences in it are more important in principle, and in my
>>>> >>>>> perspective the main topic of a US national association is obviously
>>>> >>>>> ... abstract.) The question is: what do you think about OWASP
>>>> >>>>> engaging in AppSec specialists' certification? (Probably the question
>>>> >>>>> is not new, and we do not follow ISACA deliberately; then please send
>>>> >>>>> me a link to some discussion about it.) Wouldn't it be nice to create
>>>> >>>>> a methodology to train and examine the AppSec professionals in
>>>> >>>>> domains where we supply knowledge and tools (dev, test and ...
>>>> >>>>> management)?! (I guess it can make our brand more interesting for
>>>> >>>>> the AppSec crowd, bring more money and make dissemination of our
>>>> >>>>> tools easier).
>>>> >>>>>
>>>> >>>>> ~timur
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> --Study Calls for Cyber Security Professional Organization
>>>> >>>>> (July 28 & August 1, 2014)
>>>> >>>>> A study from the Pell Center at Salve Regina University in Rhode
>>>> >>>>> Island acknowledges that "there are not enough people equipped with
>>>> >>>>> the appropriate knowledge, skills, and abilities to protect the
>>>> >>>>> information infrastructure, improve resilience, and leverage
>>>> >>>>> information technology for strategic advantage." The report "proposes
>>>> >>>>> the creation of a national professional association in cybersecurity
>>>> >>>>> to solidify the field as a profession, to support individuals engaged
>>>> >>>>> in this profession, to establish professional standards, prescribe
>>>> >>>>> education and training, and ... to support the public good."
>>>> >>>>>
>>>> >>>>> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>>>> >>>>> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>>>> >>>>> Study:
>>>> >>>>> http://pel
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> ____________________
>>> *Andrew Muller*
>>> Canberra OWASP Chapter Leader
>>> OWASP Testing Guide Co-Leader
>>>
>>>
>>
>>
>
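Josh's "taxonomy of trust" sketch in the quoted reply above (a key pair per professional, peers signing each other's listed experiences, and a directory people can be looked up in) is the one concrete mechanism proposed in this thread. The Go program below is an added illustration of how such signed endorsements could be built and checked; it is not code from the thread, from OWASP, or from any existing project. The `Member`, `Endorsement` and `Directory` types, the "endorse/v1" message format, and the use of Ed25519 from Go's standard library are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Member is one professional in the hypothetical directory (assumed model).
type Member struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey // never leaves the member's own machine
	Claims []string           // experiences the member lists about themselves
}

// Endorsement is a peer's signature over one claim made by one member.
// Subject, endorser and claim are all bound into the signed bytes, so a
// signature cannot be replayed onto another claim or another person.
type Endorsement struct {
	Subject  ed25519.PublicKey
	Endorser ed25519.PublicKey
	Claim    string
	Sig      []byte
}

// NewMember generates a fresh Ed25519 key pair for a member.
func NewMember(name string, claims ...string) (*Member, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Member{Name: name, Pub: pub, priv: priv, Claims: claims}, nil
}

// endorsementMessage is the canonical byte string that gets signed. The
// "endorse/v1" prefix is an assumed domain separator so an endorsement key
// cannot be tricked into signing some other kind of message.
func endorsementMessage(subject, endorser ed25519.PublicKey, claim string) []byte {
	return []byte(strings.Join([]string{
		"endorse/v1", hex.EncodeToString(subject), hex.EncodeToString(endorser), claim,
	}, "\n"))
}

// Endorse signs one of the subject's own listed claims. A claim the subject
// never listed is refused: nobody is "endorsed" for something they did not assert.
func (e *Member) Endorse(subject *Member, claim string) (Endorsement, error) {
	listed := false
	for _, c := range subject.Claims {
		if c == claim {
			listed = true
		}
	}
	if !listed {
		return Endorsement{}, fmt.Errorf("%s has not listed %q", subject.Name, claim)
	}
	sig := ed25519.Sign(e.priv, endorsementMessage(subject.Pub, e.Pub, claim))
	return Endorsement{Subject: subject.Pub, Endorser: e.Pub, Claim: claim, Sig: sig}, nil
}

// Verify checks the signature with the endorser key carried in the endorsement.
func (en Endorsement) Verify() bool {
	return ed25519.Verify(en.Endorser, endorsementMessage(en.Subject, en.Endorser, en.Claim), en.Sig)
}

// Directory is the look-up side of the idea: which members hold a verifiable
// endorsement for a skill. Endorsements that fail verification are ignored.
type Directory struct {
	Members      []*Member
	Endorsements []Endorsement
}

// Lookup returns the names of members with at least one valid endorsement for skill.
func (d *Directory) Lookup(skill string) []string {
	var out []string
	for _, m := range d.Members {
		for _, en := range d.Endorsements {
			if en.Claim == skill && en.Subject.Equal(m.Pub) && en.Verify() {
				out = append(out, m.Name)
				break
			}
		}
	}
	return out
}

func main() {
	alice, _ := NewMember("alice", "secure code review") // constructed sample members
	bob, _ := NewMember("bob")
	en, err := bob.Endorse(alice, "secure code review")
	if err != nil {
		panic(err)
	}
	d := &Directory{Members: []*Member{alice, bob}, Endorsements: []Endorsement{en}}
	fmt.Println("valid:", en.Verify(), "lookup:", d.Lookup("secure code review"))
	forged := en // altering the claim after signing breaks the signature
	forged.Claim = "threat modeling"
	fmt.Println("forged valid:", forged.Verify())
}
```

The design choice worth noting is what goes under the signature: signing only the claim text would let a single endorsement be copied onto anyone listing the same words, which is exactly the LinkedIn-style weakness the reply complains about. Binding both public keys into the message, and refusing to endorse claims the subject never listed, keeps each endorsement tied to one person, one peer and one statement.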